Politics of Privacy: What happens when data falls into the wrong hands?
By ENAYA NIHAL
Since the COVID-19 pandemic, we have become more aware than ever that companies and governments are constantly monitoring our health and related data. At a time when bodies (especially women’s) are still used as battlegrounds for religious, political and ideological wars, data on everything from menstrual cycles to prescriptions is more valuable than ever.
In mid-to-late October, Medibank, an Australian private health insurance company, was contacted for ransom by a hacker group claiming to have over 9.7 million users’ data, covering everything from their legal names and addresses to mental health disorders. Medibank refused to pay, citing extortion and the lack of any guarantee that the data would not be leaked anyway. This massive data breach has had real consequences for people whose private information is now circulating on the dark web. It also highlighted the state’s role in regulating such catastrophes.
First, the Russian hacker group (REvil) released “good” and “naughty” lists of customer identification data: “abortions” (which included miscarriages and any complications that put the mother’s life at risk), “boozy” (related to all alcohol consumption) and “psycho” (mental illness-related). Another tranche of data on mental health treatments and chronic conditions was also released.
The Australian Federal Police, Commonwealth agencies, and the Five Eyes Law Enforcement have partnered to investigate the data breach since the first publication. Simultaneously, Operation Guardian focused on mitigating the impacts of the data breach on victims (as it has been doing with Optus). According to Guardian Australia, the attack occurred due to “the compromise of high-level credentials giving access to Medibank’s systems”.
Medibank’s CEO, David Koczkar, has apologised profusely to customers and shareholders, but that does little to soothe customers whose personal health procedures are available for the world to scrutinise. Medibank has reached out to the 480,000 customers whose health claims have been stolen.
The breach puts women at a higher risk of being targeted and publicly shamed. If a similar breach occurred in the United States, those women might be in legal trouble. Mentally ill individuals may suffer worse anxiety and uncertainty due to the “psychos” file. Some individuals still don’t know that their data is being circulated on the dark web.
Australian government officials and authorities, including the Prime Minister, have condemned the “morally reprehensible and criminal” attack and have vowed to go after the perpetrators, working with Interpol and signposting victims to support services.
In Australia, consumer rights regarding privacy are unclear at the judicial level, and corporations have exploited this in the past. Now, a class action against Medibank has over 21,000 people interested, especially “individuals whose relationships or jobs could be at risk if medical records relating to abortions, addiction or mental health crises become public”, according to Newhouse, who calls for an overhaul of the Privacy Act and stricter laws.
There is a consensus that this is an example of market failure due to a lack of regulation by the Australian government. The government passed legislation to increase financial penalties for data privacy violators in late November. The Australian Prudential Regulation Authority (APRA) also said it had “intensified” its supervision of Medibank and that Deloitte had been brought in to examine the situation. According to Bloomberg Intelligence, the data breach could cost Medibank A$700 million if compromised customers sue the company for damages.
This case serves as a reminder, not just to people registered with a private health insurer but to everyone who has provided data to anyone. Nowadays, our lives are so digitised that it’s easy to miss how governments and firms record and store almost everything we do as data points and cookies. Medibank’s data breach sets a dangerous precedent. It rightly terrifies people worldwide, especially those living in countries with strict restrictions on reproductive rights, who are likely to be at risk if their private health procedures are made public.
This brings us back to the question of trust: how can we trust our clinics, insurance companies, and governments with our data when it has been proven that a group of cybercriminals can steal and release our data without facing repercussions (so far), especially when the cyber black market could very well be the third-largest economy in the world? It’s a question many are still trying to conceptualise, let alone answer.
Image: The English News/ Flickr